Malware Attacks Reveal European Cybersecurity Gaps

In the wake of two major malware attacks in Europe this past summer, contractors based in the region who wish to do business with the Pentagon and other U.S. government agencies need to ensure proper cybersecurity measures, according to one analyst.

In May, the United Kingdom’s National Health Service and other organizations were infected by ransomware called WannaCry. It affected more than 230,000 computers in over 150 countries. Less than two months later, a malware variant dubbed NotPetya attacked several major U.S. and European companies.

These attacks reveal that malware is growing increasingly sophisticated to the point that it is “virtually impossible to detect” with standard cybersecurity protocols, said Timothy Crosby, senior security consultant for Spohn Security Solutions, an Austin, Texas-based information technology consulting firm. That should encourage European companies looking to work with U.S. agencies to enhance their procedures, he added.

NotPetya “devastated Europe because they don’t have the type of programs that our Department of Defense and national security infrastructure” has, he said.

A 2017 report by cybersecurity firm FireEye said that “general awareness of the risk posed by cyber attacks, while increasing, remains low” among European companies.

Only 31 percent of businesses reported having a strong understanding of their cyber posture in 2016, while 9 percent of surveyed organizations did not even include cyber on their risk register.

“Despite this progress, European companies, like their counterparts around the world, have a long way to go to keep pace with the dramatically changing threat and regulatory environment,” the report said.

These organizations cover a wide range of sectors, including health and communications. Crosby noted that the recent malware attacks did not seem to impact contractors working in national security.

Defense Department cybersecurity regulations are very stringent compared to the regular commercial industry, Crosby added. But smaller European contractors should heed this warning from the NotPetya attacks, he said.

Businesses should invest in a patch management system that is implemented across every device that uses the network, Crosby said. Ensuring proper password security and teaching their employees about cyber hygiene is also key, he added.

Many companies go through what Crosby called “checkbox training,” teaching new employees through a computer-based session and holding annual review sessions in order to meet compliance standards. But that may not be enough, he noted.

Companies should bring in a security consulting firm to test countermeasures. They should assume that they would be targeted eventually if they have not been already, and take steps to mitigate any potential damage, he added.

“It’s not a matter of if their network is going to be compromised; it’s a matter of when,” he said.